First, it is possible to use single logout behind a load balancer (we do it for a number of our critical applications), but it depends on the CAS client implementation. (Not all clients support single logout, and those that support it don't always work in a cluster.) It really seems that single logout is a requirement for your implementation, so I would pursue that route. Many implementations assume that the user is using a private machine or that users can be trained to shut down all browser windows (to ensure single logout) before allowing someone else to use the computer. If these are not true of your situation, you will want to enforce a policy that all CAS clients be configured to support single logout.
In our environment, we use single logout for most critical applications, but we also rely on private workstations and users closing browser windows for other applications. It would probably not be a good idea to disable local application sessions completely. Applications would probably not behave as expected. You could implement a back-channel callback for CAS clients to re-check the state of the user's server session, but this would require custom code in both the client and server and it would probably severely impact system performance due to increased network traffic. There are other single logout strategies that could be used (e.g. use a domain cookie to indicate session state to clients within the server's domain), but they all would require code changes to the CAS server and clients.

-Nathan

From: Bryan Wooten [mailto:[email protected]]
Sent: Friday, July 09, 2010 11:23 AM
To: [email protected]
Subject: RE: [cas-user] useSession=false problem

Ok, sorry if this gets a bit long winded. The behavior I will describe below is causing one of our developers to scream, "Security Holes!". So I am doing my best to mitigate his concerns and along the way I am trying to gain a deep understanding of the ins and outs of the CAS Client and Server.

So here is the scenario: 2 users and 2 applications, using a Firefox browser. I access application 1 as user 1 and get redirected to CAS login. After login I can use application 1. Now I browse to the CAS logout URL and it says I am successfully logged out. Except, as we know, I am not really logged out of application 1 (single sign is disabled for all applications because we are behind a load balancer). So here is the first "Security Hole": the user can still access the application without being asked to log in again. Now if I try to access application 2, I will be asked to log in again. So I login as user 2 and use application 2. Now here is the second "Security Hole".

In application 1 I am still known as user 1 and in application 2 I am known as user 2. The developer feels that the second login should mean that application 1 should now see me as user 2. I believe all this is explained by the behavior of JSESSIONIDs since each application gets its own jsession (but I could be way off on this assessment). I have no clue what would happen if I introduced a 3rd application into the mix. If I hit the 3rd application, which login would it recognize?

I am trying to find a way to make my applications always go back to the CAS server to see if the user has logged out via the CAS logout URL. I don't know if this is even possible without custom code. I am open to writing my own custom filter or modifying the CAS client itself. I was hoping some combination of renew=true or useSession=false would accomplish this. I have tried various combinations of renew=true and useSession=false and different filter ordering, none of which I can get to work. So at this point I am planning on diving head first into the client code to figure out exactly what the parameters do and how they work.

I also recognize that our applications should all have "logout" buttons or links that would allow us to invalidate the session and log that application out of CAS. I won't bore you with the politics of the logout button. Sigh.

Thanks,
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593

From: Scott Battaglia [mailto:[email protected]]
Sent: Thursday, July 08, 2010 7:50 PM
To: [email protected]
Subject: Re: [cas-user] useSession=false problem

What order do you have the filters in? Also, is there a reason you don't need sessions?

On Thu, Jul 8, 2010 at 1:26 PM, Bryan Wooten <[email protected]> wrote:

When I set useSession=false in the Cas20ProxyReceivingTicketValidationFilter I get this after I :

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
If I set renew=true in conjunction with useSession=false I can never get off the CAS login page. Any ideas?

Thanks,
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
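The following is a toy model, added here as an illustration and not code from this thread or from the CAS project, of the two-user, two-application scenario Bryan describes and of the single logout callback Nathan refers to. It assumes a CAS server that records which service tickets it issued under each ticket-granting ticket and, when single logout is in use, calls each application back with that service ticket (in the real protocol the server POSTs a SAML LogoutRequest whose SessionIndex carries the service ticket, and the client's single sign-out filter maps it to the container session); the class names, function names and ticket formats are invented for the example. Without single logout the application-1 session outlives the CAS logout, which is the first "security hole", and the later login as user 2 at application 2 leaves application 1 untouched because each application keys its own local session; with single logout the callback invalidates the mapped session.

```python
"""Toy model of CAS SSO sessions with and without single logout (SLO).

Constructed example: the CAS server hands out ticket-granting tickets (TGT)
and single-use service tickets (ST); each client application keeps its own
local session (the JSESSIONID in a servlet container) created when an ST
validates.  Names and ticket formats are invented for this illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class ClientApp:
    name: str
    single_logout: bool
    # local session id -> authenticated user; stands in for the container session
    sessions: dict = field(default_factory=dict)
    # service ticket -> local session id; kept only when SLO is enabled so the
    # back-channel logout request can find the session it must invalidate
    st_index: dict = field(default_factory=dict)

    def establish_session(self, user: str, st: str) -> str:
        sid = "JSESSIONID-" + secrets.token_hex(4)
        self.sessions[sid] = user
        if self.single_logout:
            self.st_index[st] = sid
        return sid

    def current_user(self, sid: str):
        # What the application believes about the browser presenting this cookie.
        return self.sessions.get(sid)

    def receive_logout_request(self, st: str) -> bool:
        """Back-channel SLO callback from the CAS server, naming the ST."""
        if not self.single_logout:
            return False  # client does not implement the callback
        sid = self.st_index.pop(st, None)
        if sid is None:
            return False  # unknown ticket, e.g. session already gone
        self.sessions.pop(sid, None)
        return True


class CasServer:
    def __init__(self):
        self.tgts = {}     # TGT -> (user, list of (app, st) issued under it)
        self.tickets = {}  # ST -> user, removed on validation (single use)

    def login(self, user: str) -> str:
        tgt = "TGT-" + secrets.token_hex(4)
        self.tgts[tgt] = (user, [])
        return tgt

    def issue_service_ticket(self, tgt: str, app: ClientApp) -> str:
        user, services = self.tgts[tgt]
        st = "ST-" + secrets.token_hex(4)
        self.tickets[st] = user
        services.append((app, st))
        return st

    def validate(self, st: str) -> str:
        """Service-ticket validation; a ticket can be validated only once."""
        return self.tickets.pop(st)

    def logout(self, tgt: str) -> dict:
        """Destroy the SSO session and notify every service that received an ST."""
        _user, services = self.tgts.pop(tgt)
        return {app.name: app.receive_logout_request(st) for app, st in services}


def access(server: CasServer, tgt: str, app: ClientApp) -> str:
    """Browser hits the app, is sent to CAS, comes back with an ST to validate."""
    st = server.issue_service_ticket(tgt, app)
    user = server.validate(st)
    return app.establish_session(user, st)


def scenario(single_logout: bool) -> dict:
    server = CasServer()
    app1 = ClientApp("app1", single_logout)
    app2 = ClientApp("app2", single_logout)

    tgt1 = server.login("user1")
    sid_app1 = access(server, tgt1, app1)      # user1 now has a session in app1
    callbacks = server.logout(tgt1)            # browser visits the CAS logout URL
    after_logout = app1.current_user(sid_app1)

    tgt2 = server.login("user2")               # second person, same browser
    sid_app2 = access(server, tgt2, app2)      # app2 asks CAS and sees user2

    return {
        "slo_callbacks": callbacks,
        "app1_after_cas_logout": after_logout,
        "app1_after_user2_login": app1.current_user(sid_app1),
        "app2_user": app2.current_user(sid_app2),
    }


if __name__ == "__main__":
    for slo in (False, True):
        print("single logout", "on " if slo else "off", scenario(slo))
```

Run stand-alone, the script prints one line per mode: with single logout off, application 1 still reports user1 both after the CAS logout and after user2's login at application 2; with it on, the logout callback returns True for app1 and its session is gone, while app2 sees user2 in both cases.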
